Changing Tableau Server log entries severity: The untold story of disassembling
April 6, 2016
, , , , ,

IDA ProI usually post things that are experimental, breaks the licensing terms, terminates the support but this day I will go beyond. Do not try this at home or your work place and again, no warranty. Really.

So the story starts with one of my current challenge in Tableau Server administration. On default log level (where native_api.log.level  equals to info) you do not see from the vizqlserver logs what are the connected data server sessions for the vizql sessions. This is generally a pretty useful information for debugging: when one workbook behaves differently with published data source the data server log should be the first stop. But to match the dataserver.log with vizqlserver.log on a crowded server is somewhat a challenge.

The log entry

When debug level is “debug” we can see the following lines in the log:

This is pretty self-explanatory. VizQL Session 95D60B21B0B04029B2A1BF7A68591B9C  connected to Data Server session 302FD29F9BF44F85BF969824F97636BE . But turning on debug logs even for native apis are painful. It produces at least ten times more log entries than info, that could potentially slow down the system and fill up the space. Can’t we just tell to Tableau to log this in default info log level?

Of course we can, but this would require some attitude.

Finding what to change

One thing is sure, we should shoot for the string  “ACTION: Created new dataserver session“. I’m an old school guy using Total Commander to search for strings. Since Tableau Server uses wchars (unicode16 encoding) you should tick this as well.

Please note the option "UTF 16"

Please note the option “UTF 16”

We have our guy, the good old tabsrv.dll. Lets have a look in it. As I told you I’m old fashioned, kinda old school, therefore IDA Pro is my tool of choice to tap into binaries. After loading the DLL lets search for the same string:

Screen Shot 2016-04-06 at 18.24.04

Now we found or function, that looks like:

What happens here? On line 12 we found or log string what we are looking for! It’s concatenated (sub_180026994 is TString’s concat function) with the session id. But the main thing is in line 17 where we add “1” to an 8bit register (CL) then call the misterious function sub_180064654. What is in sub_180064654?

Screen Shot 2016-04-06 at 18.32.01

This function calls LoggerAcceptsSeverity – so we are on the right spot

This should be the logger itself: it calls LoggerAcceptsSeverity  with the first parameter CL, the one that contains 1. We can make a safe assumption that the first parameter is severity, thus lets change CL register’s value from 1 to 2. For this open the hex view and navigate to the location highlighted in the IDA View-A when you mouse over MOV CL,1 .

Just change 01 to 02 - from debug to info

Just change 01 to 02 – from debug to info

Save this back to the binary file tabsrv.dll and restart Tableau Server. After navigating to workbooks using data server we clearly see that our patch did the job, this time the severity is “info“.

Hurray! Now we can connect vizql sessions with data server sessions without turning the debug logs on. Thanks to disassembling we were able to change how Tableau behaves and this is just the beginning.

If you have any questions just drop a line, I try my best to answer.


Tamás Földi

Related items

/ You may check this items as well

sync frelard

Tableau Extensions Addons Introduction: Synchronized Scrollbars

At this year’s Tableau Conference, I tried t...

Read more

Tableau External Services API: Adding Haskell Expressions as Calculations

We all have our own Tableau Conference habits.  M...

Read more
Scaling Tableau Image

Scaling out Tableau Extracts – Building a distributed, multi-node MPP Hyper Cluster

Tableau Hyper Database (“Extract”) is ...

Read more